10 Tips for Buying Cyber Insurance

Exposure to network and data security breaches has rapidly grown in recent years, and the market for insurance to cover this risk has grown just as fast. With policies sold under names like “cyber insurance,” “privacy breach insurance” and “network security insurance,” the market for this coverage seems chaotic, with a wide variety of premiums and terms from one insurer to the next. So before you buy or renew a cyber insurance policy, be sure to understand these 10 guidelines.

Buy What You Need

With all the bells and whistles now offered by some insurers, it’s important to stick to basics. Consider whether you really need the coverages being offered, and just say “no” if you don’t. The cyber insurance market is highly competitive, with many insurers currently focused on building market share, so one might be willing to give you coverage or terms that another won’t.

Limits of Liability

One of the most important issues in negotiating cyber insurance is determining the appropriate limits of liability. The costs of responding to a data breach can be substantial. Estimates vary, but one study found that, in 2011, the average organizational cost of a data breach involving the loss or theft of personal data was $5.5 million, or $194 per electronic record. Because cyber insurance isn’t particularly expensive, you should choose limits of liability in line with your total potential liability exposure in the event of a breach.

Get Retroactive Coverage

Most cyber insurance policies limit coverage to breaches that occur after a specified “retroactive date.” In some, this date is the same as the policy’s inception date. This means there may be no coverage provided for claims made due to breaches that occurred before the policy period, even if the insured did not know about the breach when it bought the policy. Because breaches may go undiscovered for some time before claims are made, you should always ask for a retroactive date that is earlier than the inception date. This will ensure the coverage includes unknown breaches that occurred before the policy incepted but first give rise to a claim after it did.

Be Aware of Broadly Worded Exclusions

It’s not uncommon to find cyber insurance provisions that contradict the basic purpose of buying the coverage. Some policies broadly exclude coverage for any liability arising from a breach of contract.

Be Aware of Panel and Consent Provisions

Many cyber insurance policies require that any investigators, consultants or attorneys used by you to respond to a claim or potential claim be drawn from a list of professionals that have been preapproved by the insurer. If you have consultants or attorneys that you want to use in the event of a loss because they already know the business operations, it is a good idea to ask to add these professionals to the insurer’s preapproved list during underwriting.

Allocation of Defense Costs

Where both covered and non-covered claims are asserted in the same lawsuit against you, an issue often arises regarding the proper allocation of defense costs: what portion of your defense costs must the insurer pay? There are a number of ways that insurance policies can respond in this situation, with some policy provisions being more advantageous to you than others.

Obtain Coverage for Vendor Acts and Omissions

Chances are that at least a portion of your organization’s data processing and storage is outsourced to a third-party vendor. Therefore, it is important that your cyber insurance policy cover claims against you that result from breaches caused by your data management vendors.

Dovetail Cyber Insurance with Indemnity Agreements

You should also make sure that your cyber insurance and vendor indemnity agreements complement each other so you can maximize your recovery from both sources.

Align Cyber Insurance with Other Insurance

Some cyber insurance policies also cover data management vendors. There may be business reasons for wanting vendors to be insured under your policy in a particular case, but it's generally better to contractually require your vendors to buy their own cyber insurance to act as the primary coverage and name you as an insured. Then, arrange for your policy to state that it will only apply to third parties in excess of that vendor’s insurance. This structure can reduce the odds that your insurance policy limits will be depleted by claims for which your vendors are primarily responsible.

Get a Partial Subrogation Waiver

If your insurer pays a loss, it may become “subrogated” to your claims against any third parties that were responsible for causing the breach. This means that the insurer can try to recoup its payment by pursuing your claims against the responsible parties. Many cyber insurance policies contain a provision stating that you cannot take any action to impair the insurer’s subrogation rights.

ABOUT THE AUTHOR

Jay Shelton

Jay Shelton is the Senior Vice President of Executive Risk at Assurance. With nearly 20 years of experience in risk management, Jay leads the Executive Risk Team, which focuses on both publicly traded and privately held Directors & Officers Liability, Errors & Omissions, Cyber, Crime, Employment Practices, Management Liability and other executive management coverages. His main responsibility is to identify and evaluate clients’ exposure and implement programs that will minimize risk. Jay is a veteran of the United States Marine Corps. He earned a Master's degree in Business Administration from Notre Dame University and a Bachelor of Science degree in Criminal Justice from Indiana University. Jay is a member of the American Society of Safety Engineers, Professional Liability Underwriter Society (PLUS) and Risk Management Society (RIMS).